
Remote Wi-Fi Attack Backdoors iPhone 7

Google’s Project Zero released a proof-of-concept attack against a Wi-Fi firmware vulnerability in Broadcom chips that backdoors the iPhone 7. The flaw was patched in iOS 11.

Google on Tuesday disclosed details and a proof-of-concept exploit for a Wi-Fi firmware vulnerability in Broadcom chipsets patched this week in iOS 11. The attack enables code execution and persistent presence on a compromised device.

“The exploit gains code execution on the Wi-Fi firmware on the iPhone 7,” said Google Project Zero researcher Gal Beniamini, whose comments were part of a bug report made public Tuesday. “Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip),” Beniamini said.

Beniamini said his exploit has been tested against the firmware packaged with iOS 10.2 and that it should work on versions up to and including iOS 10.3.3. The affected part is the BCM4355C0 system-on-chip running firmware version 9.44.78.27.0.1.56.

Apple said the bug, CVE-2017-11120, was a memory corruption issue and addressed it in the security update accompanying the release of iOS 11.

The vulnerability lives in Broadcom chips used by Apple in the iPhone and in other products, including the Apple TV (tvOS) and the Apple Watch (watchOS). Android devices also use the same chips, and Google patched the bug in the September Android Security Bulletin.

Beniamini’s original bug report, dated June 12, says the chips are also found in Wi-Fi routers and that their job is to manage Wi-Fi connections “without delegating to the host OS.” The report explains how an attacker can take advantage of missing validation on a channel-number field in a received frame: the firmware uses the value as an array index without checking it, so an out-of-range value produces a write beyond the end of a heap buffer.

“While the maximal allowed channel number is 0xE0, by providing a larger value (such as 0xFF), the function above will increment a 16-bit word beyond the bounds of the heap-allocated buffer, thereby performing an OOB write,” Beniamini wrote, adding that the code path exists on several firmware versions including versions present on the iPhone 7 and Samsung Galaxy S7 Edge.
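The following C program is an added illustration of the bug pattern Beniamini describes, written for this article; it is not code from the bug report or from the Broadcom firmware. It models a heap-allocated table of 16-bit per-channel counters (one entry for each channel 0..0xE0, an assumed layout) inside a simulated heap arena, with another chunk placed directly after the table, and shows how an element carrying channel 0xFF makes the unchecked increment land in the neighbouring chunk while the bounds-checked version rejects it. The element structure, table size and arena are all constructed for the example.

```c
/* Added example: an unchecked channel index into a heap table of uint16_t
 * counters (the pattern described in the bug report), beside the hardened
 * form.  The table layout, neighbouring chunk and element format are
 * assumptions made for illustration, not the real firmware structures.
 * Compile with: cc -Wall -o chan_oob chan_oob.c */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHANNEL   0xE0u               /* largest valid channel number (from the report) */
#define TABLE_ENTRIES (MAX_CHANNEL + 1)   /* assumption: one uint16_t counter per channel 0..0xE0 */
#define ARENA_WORDS   0x200u              /* simulated heap: the table plus an adjacent chunk */
#define FILL_PATTERN  0x4141u             /* recognisable contents of the adjacent chunk */

/* Simulated heap arena, addressed in 16-bit words so the table can be indexed directly. */
typedef struct {
    uint16_t words[ARENA_WORDS];
} sim_heap;

/* Constructed element as it might arrive in a frame: id, length, channel number. */
typedef struct {
    uint8_t id;
    uint8_t len;
    uint8_t channel;
} chan_element;

/* Zero the counter table and fill the chunk that follows it with the pattern. */
static void heap_init(sim_heap *h)
{
    memset(h->words, 0, sizeof h->words);
    for (size_t i = TABLE_ENTRIES; i < ARENA_WORDS; i++)
        h->words[i] = FILL_PATTERN;
}

/* Vulnerable form: trusts the channel byte and uses it as the table index.
 * Channel 0xFF increments word 0xFF, which lies 0x1F words past the table. */
static void count_channel_unchecked(sim_heap *h, const chan_element *e)
{
    uint16_t *table = h->words;
    table[e->channel]++;
}

/* Hardened form: reject any channel above the maximum before writing. */
static bool count_channel_checked(sim_heap *h, const chan_element *e)
{
    if (e->channel > MAX_CHANNEL)
        return false;               /* drop the element; nothing is written */
    h->words[e->channel]++;
    return true;
}

/* Index of the first altered word in the adjacent chunk, or -1 if it is intact. */
static int first_corrupted_word(const sim_heap *h)
{
    for (size_t i = TABLE_ENTRIES; i < ARENA_WORDS; i++)
        if (h->words[i] != FILL_PATTERN)
            return (int)i;
    return -1;
}

/* Feed one channel value to the vulnerable form on a fresh heap and report corruption. */
static int corruption_after_unchecked(uint8_t channel)
{
    sim_heap h;
    chan_element e = { 0x34, 1, channel };
    heap_init(&h);
    count_channel_unchecked(&h, &e);
    return first_corrupted_word(&h);
}

/* Same for the hardened form; returns the corrupted index (-1 expected) and
 * reports through *accepted whether the element passed the bound check. */
static int corruption_after_checked(uint8_t channel, bool *accepted)
{
    sim_heap h;
    chan_element e = { 0x34, 1, channel };
    heap_init(&h);
    *accepted = count_channel_checked(&h, &e);
    return first_corrupted_word(&h);
}

int main(void)
{
    bool ok;
    printf("unchecked, channel 0x24: corrupted word %d\n", corruption_after_unchecked(0x24));
    printf("unchecked, channel 0xFF: corrupted word %d\n", corruption_after_unchecked(0xFF));
    printf("checked,   channel 0xFF: corrupted word %d, accepted %d\n",
           corruption_after_checked(0xFF, &ok), ok);
    printf("checked,   channel 0x24: corrupted word %d, accepted %d\n",
           corruption_after_checked(0x24, &ok), ok);
    return 0;
}
```

In the simulated arena the stray write is visible as a changed word in the chunk after the table; on the real chip, with no ASLR and no heap hardening, the same write hits whatever allocation happens to follow the table, which is what turns a one-byte field into a code-execution primitive.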

This vulnerability harkens back to Broadpwn, which was disclosed and patched by Google and Apple this summer and explained during a Black Hat talk by researcher Nitay Artenstein of Exodus Intelligence.

Similarly, Broadpwn allows for remote compromise of devices without user interaction, a rarity as Artenstein called it in a report published in late July. He described Broadpwn as a fully remote attack against the BCM43xx Wi-Fi chipsets from Broadcom, and that an attacker could gain code execution on the main application processor in Android and iOS.

Artenstein also explained that the Broadcom chips on mobile devices lack ASLR, and that their memory is mapped readable, writable and executable throughout, so code can run from anywhere in memory. At the time, he also said there was no integrity check on the firmware, making it easier for an attacker to patch, or replace, the firmware with a malicious version.
